Assigning privileges in an access control system

ABSTRACT

An access control system may include a log data parser that receives log data observations in a cloud system and extract user-permission data from the log data observations. The system may also include a clustering unit that uses the user-permission data to generate one or more clusters, each cluster associated with one or more users. Alternatively, and/or additionally, the system may include a feature extractor and a classifier. The feature extractor may extract one or more features from the user-permission data. The classifier may generate predictions of permissions for the one or more users based on the extracted one or more features. The system may also include a policy generator that uses the output of the clustering unit and/or the classifier to generate an access control policy. The policy may be executed in the cloud system to control user&#39;s access to one or more services of the system.

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims priority under 35 U.S.C. § 119 to U.S.provisional application No. 62/746,090 entitled “Assigning Privileges inan Access Control System,” filed on Oct. 16, 2018, and which isincorporated by reference herein in its entirety for all purposes.

FIELD

The present disclosure relates generally to access control systems andexamples of assigning privileges in an access control system aredescribed.

BACKGROUND

Cloud computing has revolutionized the information technology industry.Organizations leverage cloud computing to deploy IT infrastructure thatis resilient, affordable, and massively scalable with minimal up-frontinvestment. Cloud providers have seen significant growth recently withincreased cloud computing industry revenue. Despite the wide adoption ofcloud computing, there are still issues regarding security and usabilitythat should be addressed.

Existing automatic methods, such as role mining problem (RMP), createrole based access control (RBAC) policies by finding an optimal set ofroles from existing user permissions. However, the RMP method does notaddress how secure or complete a policy is because the RMP methodevaluates an RBAC configuration based on maintainability of theunderlying policy. Completeness addresses minimizing under-privilege andsecurity addresses minimizing over-privilege. Further, a RMP methodgenerally assumes that given data naturally fits into an RBAC policythat is both easy to maintain and secure. This method also relies onexisting or manually created user-permission assignments, which is anadministrative burden. For example, a service may be associated withseveral dozen to several hundred privileges. Pre-generating policiesrequire an operator to understand both the actions (available in eachservice), resources required by each privileged entity, as well as thegranularity of access control policy available for each service.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an example cloud system according tovarious aspects of the present disclosure.

FIG. 2 is a diagram of an example privilege assignment system accordingto various aspects of the present disclosure.

FIG. 3 illustrates an example of a process of generating a policy ofaccess control according to various aspects of the present disclosure.

FIG. 4 is a diagram of an example privilege assignment system accordingto various aspects of the present disclosure.

FIG. 5 illustrates an example of a process of generating a policy ofaccess control according to various aspects of the present disclosure.

FIG. 6 is an example block diagram of a computing device that can beused to implement various systems and methods described herein.

DETAILED DESCRIPTION

Various embodiments of the present disclosure will be explained below indetail with reference to the accompanying drawings. The followingdetailed description refers to the accompanying drawings that show, byway of illustration, specific aspects and embodiments in which thepresent invention may be practiced. Other embodiments may be utilized,and structure, logical, and electrical changes may be made withoutdeparting from the scope of the present invention. The variousembodiments disclosed herein are not necessarily mutually exclusive, assome disclosed embodiments can be combined with one or more otherdisclosed embodiments to form new embodiments.

In a cloud systems and other computing networks, when a user wishes touse or access a service of the cloud system, the system checks theuser's assigned permissions against the privilege of the service thatthe user requests to use. For example, a cloud service, such as AmazonSimple Storage Service, may allow a user to upload a file and retrieve afile to and from the cloud. A user may be assigned a permission, and thecloud service may also have a privilege associated with a useroperation. Based on the comparison of the user's permissions and theprivilege of the service the user wishes to use, the cloud system maygrant or deny the service to the user. In some examples, an accesscontrol system assigns permissions to a user of the cloud system basedon the log data in the cloud system, where the log data records one ormore user operations in the cloud system. The access control system usesthe log data as available in the cloud system, parses the log data toextract user-permission data, and uses the user-permission data togenerate the permissions for the users. In some examples, the accesscontrol system assigns minimal privileges that may not be unnecessarilyhigher than the needed privilege to a user. The access control systemmay use clustering to group together and assign privileges to users of acloud based system and/or may use predicative techniques to generateprivileges for users. As discussed below, these techniques help ensureusers are provided adequate privileges, that will allow them access tothe required features, but without being overly permissive.

Within a cloud or computing system or structure, a user may be assignedto one or more roles. Similarly, a role may be assigned to one or moreusers. An example of a role may include a collection of permissions. Forexample, a role may contain the operations that can be performed, suchas read, write, and delete. Roles can be high-level, like owner, orspecific, like virtual machine reader. A role may have one or morepermissions, each corresponding to an operation in the role. Thepermissions available to a user may include the permissions assigned tothe roles with which the user is associated.

In one example, in assigning the privileges to users, the access controlsystem uses a clustering algorithm to cluster users with similarbehaviors into the same cluster, e.g., users that access a particularprivilege are grouped together and indicated as a particular group.Using the clusters, users are assigned privileges based on theirgrouping, e.g., a first cluster of users will be assigned the samepermissions as one another and a second cluster of users is assigned thesame privileges as one another, where the privileges of the secondcluster may be different from the first cluster. The cluster privilegesare determined by the permissions exercised by all of the usersassociated with that cluster.

In another example, in assigning the privileges to users, the accesscontrol trains a classifier or other supervised learning algorithm basedon the users' past accesses to the system. For example, the accesscontrol system extracts certain features from the log data of the cloudsystem and uses the extracted features to train the classifier, such asa decision-tree classifier. The access control then uses the trainedclassifier to predict the permissions of the users of the cloud system

Turning now to the figures, a system of the present disclosure will bediscussed in more detail. FIG. 1 is a block diagram of an example cloudsystem according to various aspects of the present disclosure. A cloudsystem 100 may include multiple services, e.g., 104(1), 104(2) . . .104(N) (collectively referred to as 104). A service 104 may beconfigured to provide one or more computing services. For example,service 104 may be a product, an application, or an IT service availablefor deployment on Amazon web services (AWS) or other cloud based serviceofferings. In a non-limiting example, a service may include a printservice that executes a print job. In another non-limiting example, aservice may include a game on a cloud system that the user may accessand play. In another non-limiting example, a service may include anapplication that can be executed on the cloud system. A product mayinclude one or more resources, such as storage volumes, monitoringconfigurations, databases, printers, CPU cycles, or other resources orproducts. The system 100 may also include multiple user devices, e.g.,106(1), 106(2), 106(3) . . . 106(M) (collectively referred to as 106).Examples of a user device may include a server device, a desktopcomputer, a mobile electronic device, an embedded computing device, amicro-controller, or any other suitable devices having a processor and acommunication peripheral. A user device 106 may be associated with oneor more users, and may communicate with one or more services 104 via acommunication network 102.

The communication network 102 may be any suitable type or combination oftypes of communication system for transmitting data either through wiredor wireless mechanisms (e.g., WiFi, Ethernet, Bluetooth, cellular data,or the like). In some examples, certain components, e.g., services 104or devices 106, in the cloud system 100 may communicate via a first mode(e.g., Bluetooth) and others may communicate via a second mode (e.g.,WiFi). Additionally, certain components may have multiple transmissionmechanisms and be configured to communicate data in two or more manners.The configuration of the communication network 102 and communicationmechanisms for each of the components may be varied as desired and basedon the needs of a particular configuration, function, or property.

In a non-limiting example, a server device may be associated withmultiple users and allow the users to have access to one or moreservices 104. In a non-limiting example, a mobile electronic device maybe associated with a user and provide the user access to one or more ofthe services 104, where the access is based on an access control policy.

In some examples, the system 100 may further include a privilegeassignment system 110 that generates an access control policy includingone or more assigned privileges or permissions per user. The system thenexecutes the policy generated from the privilege assignment system 110to facilitate access control of the system 100. For example, a policymay include an assigned read privilege for a first role and a printprivilege for a second role, where the first role may be associated withusers A and B, and the second role may be associated with users B and C.Such policy may be applicable to RBAC. In the instant example, once thepolicy is executed in the system 100, a job that requires read privilegemay be granted for users A and B, a job that requires print privilegemay be granted for users B and C, and a job that requires both read andprint privileges may be granted for user B only. A user may need toaccess one or more services in order to complete a computing task, inwhich case the privilege required by each service must be granted by acombination of the permissions of role(s) associated with the user inorder for the task to be granted.

In some examples, a policy may include an assigned privilege level ortier, such as, for example, “Secret” for users A and B, and an assignedprivilege level of “Confidential” for user C. Such policy may beapplicable to Mandatory Access Control (MAC) based system. For example,a system may be dealing with documents marked “Confidential”, “Secret”,and “Top Secret” where access to the highest level implies access tolower levels as well. In such case, once the policy is executed in thesystem 100, users A and B may be able to access a service requiring toaccess “Secret” and “Confidential” document because the privilege levelof users A and B are equal or above the privilege level required of theservice. However, user C may not be able to access the service becausethe privilege level of user C (e.g., “Confidential) is below theprivilege level of the service (e.g., “Secret”). A user may need toaccess one or more services in order to complete a computing task, inwhich the assigned permissions for the user must be no lower than theprivilege levels of all of the services to be used in completing thetask.

In some examples, the generation of the policy for the system 100 may bebased on a least privilege rule under which privileged entities of asystem operate using the least amount or level of privileges necessaryto complete its job. In these instances, the privilege assignment system110 assigns, minimal permissions and not unnecessarily more than theneeded privilege. In some examples, the privilege assignment system 110may retrieve from the cloud system log data that records multiple useraccesses across the cloud system in one or more observations, and usethe log data to generate the policy. An observation may correspond tolog data that records user accesses across a cloud system in a timeperiod, namely an observation period. In some examples, multipleobservation periods, may correspond to multiple non-overlapping timeperiods. In other examples, multiple observations may correspond tooverlapping time periods. In that case, the observations in twooverlapping observation periods may include certain user access datathat is common in both the first observation period and the secondobservation period. The privilege assignment system 110 may beconfigured to minimize both over-privilege and under-privilege ingenerating the policy.

FIG. 2 is a diagram of an example privilege assignment system, such asprivilege assignment system 110 in the cloud system 100 (FIG. 1),according to various aspects of the present disclosure. In someexamples, a privilege assignment system 200 may include a log dataparser 204, which receives audit log data observations 202.

In some examples, the audit log data may include various informationassociated with operations exercised by a user. For example, in a cloudsystem, such as the AWS, the log data may be contained in a log file,which may include any of the CloudTrail Log File, where CloudTrailmonitors events for a user account. In some non-limiting examples, thelog file may record a user making a call to a server, a console backendmaking a call to a user, or a user making a call to an action to createa new user. A log records the identity of the user, the operationsrecorded in the log, the privileges/permissions associated with theoperations, and/or resources utilized in the operation.

The log data parser 204 may be configured to parse the log data 202 andextract user-permission data 206. In some examples, user-permission data206 may correspond to a user accessing any of the services in the logdata. For example, the user-permission data may include a user'sidentity and the permission associated with the service being accessed.In some examples, the audit log data may be stored in a suitable dataformat, such as a flat file or a syntax based format, such as anextensive markup language (XML). In the latter case, the log data parser204 may include an XML parser that parses the data in the XML format andextracts the user-permission data. The extracted user-permission data206 may be stored in a memory location in any suitable format, such as aflat file, an XML file, or other suitable formats.

In some examples, the system 200 may further include a clustering unit212 that clusters the audit log data. For example, the clustering unitmay receive the user-permission data 206, analyze the data, anddetermine clusters of similar privileged entities based on thepermissions exercised. In the example in FIG. 2, the output of theclustering unit 212 may include one or more clusters, e.g., 214(1),214(2) . . . 214(N). The clusters may correspond to roles. For example,a cluster may correspond to a role. In other words, the number ofcluster correspond to the number of roles in the system. A cluster mayinclude one or more users and permissions associated with each of theusers. In some examples, the system 200 may further include a policygenerator 224, which generates the access control policy based on theclustering results from the clustering unit 212.

In a non-limiting example, the policy generator 224 may assign eachcluster a shared role and grant permissions to that cluster. This isfurther described as below.

Input: The set of user-permissions exercised (U PE) during theobservation period(OBP) Output: roles, the mapping of user-to-permissionassignments  1 roles, documents ← Ø;  2  for user , perm ∈ U PE do  3documentsuser ← documentsuser ∪ perm;  4  end  5 clusters, outliers ←cluster (documents );  6  for cluster ∈ clusters do  7 role ← Ø;  8 foruser , document ∈ cluster do  9 for perm ∈ document do 10 role ← role ∪perm; 11 end 12 end 13 rolesuser ← role; 14  end 15 for user , document∈ outliers do 16 for user , perm ∈ document do 17 rolesuser ← rolesuser∪ perm; 18 end 19  end 20  return roles

In some examples, the first cluster, e.g., 214(1), may include a firstshared role (e.g., Role 1) associated with User 1 and User 2. A secondcluster, e.g., 224(2), may include a second shared role (e.g., Role 2)associated with User 3. The policy generator 224 may assign permissionsto each of the roles in the clusters. In assigning permissions for arole, the policy generator 224 may determine the permissions of entitiesin that role and assign a combined permission to that role. For example,a combined permission for a role may include a combination of all of thepermissions exercised by all of the users in that role. In the instantexample, if User 1 in Role 1 has acted with permissions read and write(as determined from the user-permission data) and User 2 in Role 1 hasacted with permission read (also determined from the user-permissiondata), then the policy generator 224 may assign permissions read andwrite to Role 1 in the first cluster. In some instances, the combinationof similar entities results in granting additional permissions to one ormore users. For example, new permissions may be assigned to a user basedon the permissions exercised by other users that have behaved similarly.This is useful in environments where minimizing under-privilege is moreimportant than minimizing over-privilege.

In some examples, after the clustering has completed for allentities/users, some entities/users may not belong to any clusters fromthe clustering unit 212. These entities are called outliers. In somescenarios, the policy generator 224 may include a naïve policy generator222, which assigns permissions to the outliers. For example, the naïvepolicy generator 222 may grant permissions to the entities/users in theoutliers based on the privileges used or exercised during theobservation period. In other words, each of the entities/users in theoutlier is a separate role and can be considered a cluster of one, andthen is granted the same permissions that used by that entity in theobservations.

With further reference to FIG. 2, the clustering unit 212 may beconfigured to implement any suitable clustering algorithms. For example,the clustering unit 212 may use a density-based spatial clustering ofapplications with noise (DBSCAN) algorithm. In a non-limiting example,an implementation of the DBSCAN may be available, such as from thescikit-learn library (see Pedregosa, F., et al. 2011. Scikit-learn:Machine Learning in Python. Journal of Machine Learning Research 12(2011), 2825-2830), which was published in Martin Ester, Hans-PeterKriegel, Jörg Sander, Xiaowei Xu, et al. 1996, A density-based algorithmfor discovering clusters in large spatial databases with noise, InKnowledge discovery in databases (KDD), Vol. 96. AAAI Press, 226-231.The DBSCAN algorithm provides advantages in that no expected number ofclusters needs to be specified in advance. The performance of DBSCANalso scales well in regards to the number of samples given.

Additionally and/or alternatively, the system 200 may include avectorizer 208, which converts the user-permission data 206 into vectorsthat can be used by the clustering unit 212. For example, the vectorizer208 may generate a document corpus 210 based on the user-permissiondata. The document corpus 210 may include multiple documents, where thedocuments include permissions exercised by an entity. A document in thedocument corpus 210 may also include other information collected in thelog data, such as operations and resources. In some examples, once thedocument corpus 210 is formed, the vectorizer 208 may convert thedocuments in the document corpus to a feature vector for clustering. Forexample, the vectorizer 208 may be a term frequency-inverse documentfrequency (TF-IDF) vectorizer.

TF-IDF refers to an approach for finding similar documents ininformation retrieval (see Christopher D. Manning, Prabhakar Raghavan,and Hinrich Schütze; Introduction to Information Retrieval, CambridgeUniversity Press 2008, New York, N.Y., USA. 117-119). A vector documentproduced by the TF-IDF vectorizer may include all of the permissionsexercised by a user in the observation period. The vector document mayalso include other terms associated with user's access, such as theoperations and resources utilized by the user during the observation.The TF-IDF vectorizer may determine a composite weight for each term ina document, this is sometimes referred to as TF-IDF weighting. Each termmay result in one dimension in the vector space. TF-IDF weighting hasadvantages in that it preserves information about how often eachpermission is exercised by a user. The result of the vectorizer mayinclude multi-dimensional vector features that are ready for clustering.

Returning to clustering unit 212, in some examples, the DBSCAN algorithmrequires hyper-parameter for DBSCAN, such as E, the distance threshold,which is the maximum distance between two samples above which the twosamples should not be considered to be in the same cluster. There can bevarious ways to determine the parameter E: the mean distance between allpoints, median distance between all points, and middle point between theminimum and maximum points in the vector space. Other ways ofdetermining or assigning a threshold may also be possible. In someexamples, an operator may also manually vary the threshold value.

Additionally, and/or alternatively, other clustering algorithms may beused. For example, a hierarchical clustering algorithm may be used ingenerating hierarchical roles in which users' roles may overlap. In someexamples, a user may be a member of multiple roles. For example, a useris a member of a child role, which is the child of a parent role. Inthat case, the clustering unit 212 may use a hierarchical clusteringalgorithm.

FIG. 3 illustrates an example of a process that can be implemented in aprivilege assignment system, such as system 200 (in FIG. 2), to generatea policy of access control according to various aspects of the presentdisclosure. In some examples, process 300 may include receiving log dataat 302. For example, process 300 may collect log data from users'accesses to multiple services in a cloud system (e.g., 100 in FIG. 1).The log data may be collected in an observation period in a similarmanner as described in FIG. 2. The observation period may be one dayperiod or other select length that provides sufficient time for entitiesto complete tasks requiring related privileges. The observation periodmay also vary as the tasks vary, e.g., in instances where tasks mayrequire more than a day, the observation period can be extended or ininstances where the tasks require less time the observation period maybe reduced. The observation period may also be selected based on userinvolvement or tracking, e.g., selected to extend through an amount oftime where a substantial percentage of the users have accessed thesystem

In FIG. 3, process 300 may further include parsing log data at 304. Forexample, the process 300 may use the log data parser 204 (in FIG. 2) togenerate user-permission data from the log data. Optionally, process 300may further convert data to vectors at 306, where the converted vectordata may be usable by a clustering unit. When converting data to vectorsat 306, any suitable vectorisors, such as vectorizer 208 (in FIG. 2). Ina non-limiting example, a TF-IDF vectoriser may be used. The process 300may further include clustering the vector data at 308, from which aresulting cluster includes similar privileged entities based on theirpermissions exercised.

When clustering data at 308, any suitable clustering unit, such as 212(in FIG. 2) may be used. For example, the clustering process at 308 mayuse a DBSCAN clustering algorithm described with reference to FIG. 2.Block 308 may generate one or more clusters. In a non-limiting example,a cluster may include one or more users. Similar to the clustering unitdescribed in FIG. 2, the DBSCAN algorithm may require hyper-parameter,such as E, the distance threshold, which is the maximum distance betweentwo samples above, which the two samples should not be considered to bein the same cluster. Block 308 may use various ways to determine theparameter E. For example, the threshold may have a value that is themean distance between all points, a value that is the median distancebetween all points, or a value that is the middle point between theminimum and maximum points in the vector space. In some examples, box308 may also use other suitable clustering algorithms, such as ahierarchical clustering algorithm.

The process 300 may further generate a policy at 312. For example, theprocess 300 may generate the policy using a policy generator previouslydescribed, such as 224 (in FIG. 1). In generating the policy, block 312may assign a role to a cluster, for example, and may also assignpermissions to a role. In some examples, block 312 may assignpermissions for a role, for example, by determining all of thepermissions of all entities in that role and assign a combinedpermission to that role. This may be implemented in a similar manner aspolicy generator 224 described in FIG. 2.

With further reference to FIG. 3, additionally, and/or alternatively,process 300 may also process outliers at 310 as the result of clusteringprocess 308. Outliers may include entities that do not belong to any ofthe clusters from the clustering block at 308, in which case an entitybelongs to a single cluster. In processing the outliers, block 310 mayassign an outlier as a separate role, and use a naïve policy method toassign permissions to that role. For example, the process may grantpermissions to the entities in the outliers based on the privileges theyused during the observation period. In other words, an entity in theoutliers is a separate role and is granted the same permissions thatwere used by that entity in the observations.

In FIG. 3, process 300 may further execute the policy at 314. Forexamples, the policy generated from the block 312 may include theassignment of roles and the assignment of permissions for each role,where a role is associated with one or more users. When the policy isexecuted in the cloud system (e.g., 100 in FIG. 1), a user may beassociated with a role, and a role is associated with one or morepermissions. The cloud system may determine, based on the policy,whether the user's operations should be granted. For example, when auser attempts to send a print job to a printer, the cloud systemcompares the set of privileges required to execute the print jobrequested and the permissions of the role(s) assigned to the user. Ifall of the privileges required by the print request are granted by thecombination of all roles associated with the requesting user then therequested job is granted. In an example, a user may be associated withtwo roles: an owner, which has a print permission; and a virtual machinereader, which has a read permission in a virtual machine. A requestedprint job may require a permission to read from the virtual machine anda print permission. In such case, the combination of both roles of theuser may include the required privileges of the print request.Consequently, the requested job may be granted. If not all of therequired privileges of the print job are granted by the combination ofall roles associated with the requesting user, then the print job is notgranted.

In some or other scenarios, the privilege assignment system (e.g., 110in FIG. 1) may have variations. FIG. 4 is a diagram of an exampleprivilege assignment system, such as privilege assignment system 110 inthe cloud system 100 (in FIG. 1), according to various aspects of thepresent disclosure. Privilege assignment system 400 may include a logdata parser 410, which receives audit log data observations 402. Theaudit log data observations 402 may contain similar contents andcollected in a similar manner as described in FIGS. 2 and 3. The logdata parser 410 may also be configured in a similar manner as the logdata parser 204 (in FIG. 2). Similar to FIG. 2, log data parser 410 mayparse the log data 402 and generate user-permission data 412.

System 400 may further include a feature extractor 406 and a classifier408. The feature extractor 406 extracts one or more features from theparsed log data for the classifier 408. For example, the features mayinclude the time at which a permission was exercised. The features mayalso include a unique identifier of the executing entity and the type ofentity. In some scenarios, such as in AWS, the type of entity mayinclude user or a delegated role. The features may further include theservice to which the action belonged, and the type of action performed.The features may also include the organization department to which theentity belongs. In some examples, in extracting the time when apermission was exercised, the feature extractor may use a time windowinstead of an absolute time. For example, the time at which a permissionwas exercised may include a weekend, weekday, and/or a specific day ofthe week. The classifier 408 may use one or more of the extractedfeatures depending on availability. For example, in cases where theuser's roles are not available (for small organizations), the classifier408 may use fewer features.

In some scenarios, the classifier 408 generates a prediction ofpermissions for a user action. For example, the classifier 408 mayinclude a decision tree (DT) classifier that implements a supervisedlearning algorithm. The DT classifier may provide advantages in speedand also has the ability to display the set of rules learned duringclassification. The DT classifier may be available in existinglibraries, such as the scikit-learn library (see Pedregosa, F., et al.,Scikit-learn: Machine Learning in Python, Journal of Machine LearningResearch 12 (2011), 2825-2830). In some examples, the classifier 408 maybe a binary classifier. In a non-limiting example, the classifier maygenerate a prediction of either granted or denied for each user action.

With further reference to FIG. 4, the system 400 may further include atraining network 418 to train the classifier 408. In some examples, thetraining network 418 implements a supervised learning approach. Forexample, the training network 418 may include the log data parser 410,the feature extractor 406, and a classifier generator 420. The log dataparser 410 may receive training log data 404 to generate the traininguser-permission data 412. The feature extractor 406 may generatetraining features based on the training user-permission data. Ingenerating the training features, the same feature extractor 406 may beused. The classifier generator 420 may further receive the trainingfeatures and train the classifier 408 by generating one or moreclassified algorithm parameters. The classifier generator may also usethe same DT algorithm as in the classifier 408.

The feature extractor 406 may extract suitable features for training andclassification. In some examples, the features extracted may include:username, service, action, and user identity type (e.g., whether thecaller is a user or non-person entity). Additionally, and/oralternatively, the features may include one or more log entries such asthe day of week, and whether the day was a weekend or weekday. In someexamples, the system may derive the day from the event timestamp.Additionally, and/or alternatively, the features may include derivedfeatures from an action. For example, AWS actions include a verb and anoun placed together using CamelCase such as “DeleteInstance” or“CreateBucket.” In an example, the system may determine the first wordof actions, e.g., a verb, and use that “verb” as a derived feature.Based on the derived feature, the system may classify the action aseither a Create, Read, Update, Delete, or Execute action. The system mayuse any suitable field in the logs as a feature either directly, or withsome logic applied to derive features. For example, in AWS, log fieldsthat could be used directly for features may include thesourceIPAddress, awsRegion, userAgent, and eventType.

In obtaining the training log data 404, the system may construct atraining set of documents from the permissions exercised during theobservation period and select a subset of previous data for creating theclass labels. This is illustrated in line 3 of the pseudo code shown asbelow.

INPUT: UPE User-Permissions Exercised. The set of user-permissionsexercised duringthe observation period OBP Input: PRMS The set ofpossible permissions Input: TSP Training Set Parameters. Mapping ofparameters used to build the trainingset Input: CAP Classifier AlgorithmParameters. Mapping of parameters used to buildthe predicted policy froma trained classifier Input: PGP Policy Generation Parameters. Mapping ofparameters used to build thepredicted policy from a trained classifierOutput: policies Mapping storing the roles generated by each of theclassifierinstances  1 policies ← Ø;  2 for t Params ∈ permute(TSP) do 3 f eatureVector , labelSet← createTrainingSet(t Params, U PE);  4 forcl f Params ∈ permute(CAP) do  5 cl f ← decisionTree(cl f Params);  6 clf ← clf.train( f eatureVector , labelSet );  7 for pParams ∈permute(PGP) do  8 roles ← Ø;  9 possiblePrivs ←createPossiblePrivs(pParams, PRMS); 10 for user , perm ∈ possiblePrivsdo 11 if clf.predict(user , perm) = = ‘granted’ then 12 rolesuser ←rolesuser ∪ perm; 13 end 14 end 15 policiest Params,clf Params,pParams ←roles; 16 end 17 end 18 end 19 return policies

In generating the classifier, the classifier generator 420 may use thetraining set for each permutation of the Classifier Algorithm Parameters(CAP) (at lines 4-6 of pseudo code in preceding paragraph). Thesemultiple instances of the classifier with different permutations of theCAP may be used for hyper-parameter selection using a “slidingsimulation” method. The system 400 may further create a set of possiblepermissions that may be exercised during the operation period based onthe Policy Generation Parameters (PGP) (line 9 of pseudo code inpreceding paragraph). In training the classifier, each of the possiblepolicy permissions is tested against the classifier which will predictthat the permission should be either granted or denied, and the resultsof this classification are used to create the policy for the nextoperation period (lines 10-15 of pseudo code in preceding paragraph).

Now, a “sliding simulation” method is further explained. Severalhyper-parameters may be selected for the classifier. For example, forthe DT classifier, the parameters may include the parameters for thedecision tree classifier, the parameters for constructions of thetraining set, and the parameters for the policy construction from thetrained classifier. In some examples, selecting optimizedhyper-parameters may be based on only out-of-sample data. For example,the classifier generator 420 may run multiple permutations of parametersin parallel on out-of-sample data and use the best performing parametersto create a future prediction. In some examples, a security policy is aprediction, and a weighted F measure, e.g., Fβ score, is used in theprediction. The Fβ may be calculated as:Fβ=(1+β²)·Precision·Recall/((β²·Precision)+Recall)

A high value of weight β increases the importance of recall, while a lowβ values increases the importance of precision. While the recall andprecision may correspond to under-privilege and over-privilege,respectively, in some examples, the classifier generator 420 may givemore weight to reducing over-privilege. This may be aligned with anobservation that some organizations are willing to accept more risk fromover-privilege, which minimizes the cost of privileged entities notbeing able to perform their duties due to under-privilege.

In some examples, metrics other than the F measure may be used tobalance between these competing goals of reducing over-privilege andalso reducing under-privilege. For example, a simple arithmetic mean ofprecision and recall may be used. A combination of precision and recall,such as multiplication of the two, may also be used. A weightingvariable can be used with the mean or product to allow a user (e.g.,admin user) to favor minimizing over-privilege or under-privilege.

Returning to FIG. 4, the system 400 may further include a policygenerator 414 that generates a policy based on the predictions from theclassifier 408. For example, the predicted policy may include one ormore permissions associated with each entity.

In some examples, the classifier generator 420 may also implementvarious optimization methods. For example, the classifier generator 420may use a portion of the log data observations, for example, only themost recent exercised permissions. This may improve the performance ofthe system as training a classifier with older and less relevantpermissions, which may have a negative effect on the predictionaccuracy. In some examples, the audit log data 402 and training log data404 may include completely separate data sets. For example, audit logdata 402 and training log data 404 may be collected during separateperiods, for example, the first month and second month, respectively.Alternatively, the audit log data 402 and training log data 404 may haveoverlapped data sets in time. For example, large amount of log data maybe collected over a period of time, and segmented into time segments. Aportion of the log data that includes multiple time segments (e.g.,Tue-Fri) may be used for audit log data, and another portion of the logdata comprising multiple time segments (e.g., Wed-Mon) may be used fortraining log data, where the audio log data and training log data spanacross the same time period.

FIG. 5 illustrates an example of a process that can be implemented in aprivilege assignment system, such as system 400 (in FIG. 4), to generatea policy of access control according to various aspects of the presentdisclosure. In some examples, process 500 may include receiving log dataat 502. For example, process 500 may collect log data from users'accesses to multiple services in the cloud system (e.g., 100 in FIG. 1).In some scenarios, the log data may be collected in an observationperiod in a similar manner as described in system 400 (in FIG. 4). Forexample, the observation period may be a one day period, which mayprovide enough time for entities to complete tasks requiring relatedprivileges. The observation period may also vary as the tasks vary.

In FIG. 5, process 500 may further include parsing log data at 504. Forexample, the process 500 may use the log data parser 410 (in FIG. 4) togenerate user-permission data from the log data. Optionally, process 500may further extract features from the log data at 506, where theextracted features may be used by a classifier. When extracting featuresat 506, any suitable feature extractors, such as feature extractor 406(in FIG. 4), may be used. In a non-limiting example, multiple featuresmay be extracted. The examples of the extracted features may include oneor more of: the time at which a permission was exercised, a uniqueidentifier of the executing entity, the type of entity, the service towhich the action belonged, the type of action performed, and theorganization department to which the entity belongs. In some scenarios,such as in AWS, the type of entity may include user or a delegated role.

Similarly, process 500 may also include receiving training log data at514, parsing log data at 516 and extracting features at 518, and usingthe extracted features to train a classifier at 520. In some examples,parsing log data at 516 may implemented in a log data parser, such asparser 410 (in FIG. 4). Extracting features at 518 may be implemented ina feature extractor, such as 406 (in FIG. 4). Training the classifier at520 may be implemented in a classifier generator, such as 420 (in FIG.4).

Training the classifier at 520 may use any suitable classifier, forexample, a DT classifier that implements a supervised learningalgorithm. Process 500 may further include generating predictions at 508from the extracted features based on a trained classifier, such asclassifier 408 (in FIG. 4). In some examples, the trained classifierfrom 520 may be a binary classifier. In a non-limiting example, theclassifier may generate a prediction of either granted or denied foreach user action.

Process 500 may further include generating a policy at 510 based on thepredictions generated at block 508. In some examples, the policy mayinclude one or more permissions associated with each entity. Process 500may include various optimization methods, such as in collecting log datain a similar manner as described in FIG. 4.

In FIG. 5, process 500 may further execute the policy at 512. Forexamples, the policy generated from the process 512 may include theassignment of roles, where a role is associated with one or more users,and the assignment of permissions for each role. When the policy isexecuted in the cloud system (e.g., 100 in FIG. 1), a user may beassociated with a role, and a role is associated with one or morepermissions. The cloud system may determine, based on the policy,whether a user's operation be granted. For example, when a user attemptsto send a print job to a printer, the cloud system determines whetherthe privilege associated with the print job requested are granted by thepermissions of the role(s) associated with the user. If the privilegeassociated with the print job are granted by a combination of thepermissions of the role(s) associated with the user, then the requestedjob is granted. Otherwise, the user is denied of the operationrequested.

In various embodiments in FIGS. 2-5, such as system 200 (in FIG. 2),system 400 (in FIG. 4), process 300 (in FIG. 3), and process 500 (inFIG. 5), training the classifier may also use time series decompositionto identify patterns in the log data and decomposes the log data intodifferent models based on those patterns. For example, it is observedthat there may be significant differences between the privilegesexercised during weekdays and weekends. In some examples, time seriesdecomposition may include filter decomposition. For example, the days(e.g., weekends) that do not fit into a chosen model (e.g., weekday) arefiltered out of one or more observation periods in a sliding windowbefore the data is used by the algorithms. In some examples, time seriesdecomposition may also include filler decomposition. For example, theend date of a sliding window is used as a starting point. Whendetermining an observation period, the system or process moves from thestarting point backward until the observation period is “filled” withonly data matching a chosen model. For example, consider a slidingwindow with a window size of 10 days. For the filter method, the numberof days fitting the weekday model will vary from 6 to 8, and the numberof days fitting the weekend model will vary from 2 to 4. For the fillermethod, the number of days fitting a model will always be 10 days whenthe sliding window size is 10 days.

Various embodiments described in FIGS. 1-5 provide advantages overexisting systems and methods. For example, no pre-existing policy isnecessary. The systems and processes may generate a policy based onaudit log data. Further, decomposing the time series may provide severaladvantages. For example, in the filter method, less training data isneeded for training the classifier, as the classifier does not need tolearn the different behavior patterns in weekdays or weekends. Further,information about weekday or weekend patterns can be used inhyper-parameters that control the creation of the training set.

FIG. 6 shows a simplified block structure for a computing device thatmay be used with the system 100 (in FIG. 1) or integrated into one ormore components of the system. For example, the privilege assignmentsystem 110, the service 104, and/or one or more devices 106 may includeone or more of the components shown in FIG. 6 and be used to implementone or blocks or execute one or more of the operations disclosed inFIGS. 2-5. In FIG. 6, the computing device 600 may include one or moreprocessing elements 602, an input/output interface 604, a display 606,one or more memory components 608, a network interface 610, and one ormore external devices 612. Each of the various components may be incommunication with one another through one or more busses, wirelessmeans, or the like.

The processing element 602 may be any type of electronic device capableof processing, receiving, and/or transmitting instructions. For example,the processing element 602 may be a central processing unit,microprocessor, processor, or microcontroller. Additionally, it shouldbe noted that some components of the computer 600 may be controlled by afirst processor and other components may be controlled by a secondprocessor, where the first and second processors may or may not be incommunication with each other.

The memory components 608 are used by the computer 600 to storeinstructions for the processing element 602, as well as store data, suchas the fluid device data, historical data, and the like. The memorycomponents 608 may be, for example, magneto-optical storage, read-onlymemory, random access memory, erasable programmable memory, flashmemory, or a combination of one or more types of memory components.

The display 606 provides visual feedback to a user and, optionally, canact as an input element to enable a user to control, manipulate, andcalibrate various components of the computing device 600. The display606 may be a liquid crystal display, plasma display, organiclight-emitting diode display, and/or cathode ray tube display. Inembodiments where the display 606 is used as an input, the display mayinclude one or more touch or input sensors, such as capacitive touchsensors, resistive grid, or the like.

The I/O interface 604 allows a user to enter data into the computer 600,as well as provides an input/output for the computer 600 to communicatewith other devices or services (e.g., services 104 in FIG. 1, othercomputers, speakers, etc.). The I/O interface 604 can include one ormore input buttons, touch pads, and so on.

The network interface 610 provides communication to and from thecomputer 600 to other devices. For example, the network interface 610allows the device 106 to communicate with one or more services 104through the network 102 (in FIG. 1). The network interface 610 includesone or more communication protocols, such as, but not limited to WiFi,Ethernet, Bluetooth, and so on. The network interface 610 may alsoinclude one or more hardwired components, such as a Universal Serial Bus(USB) cable, or the like. The configuration of the network interface 610depends on the types of communication desired and may be modified tocommunicate via WiFi, Bluetooth, and so on.

The external devices 612 are one or more devices that can be used toprovide various inputs to the computing device 600, e.g., mouse,microphone, keyboard, trackpad, or the like. The external devices 612may be local or remote and may vary as desired.

The foregoing description has a broad application. For example, whileexamples disclosed herein may focus on a cloud system, it should beappreciated that the concepts disclosed herein may equally apply toaccess control and policy management in other systems, such as adistributed, central or decentralized system. For example, privilegeassignment system (e.g., 110 in FIG. 1) may be residing on a server in aclient/server system. The privilege assignment system may also beresiding on any device on the network and operate in a decentralizedmanner. Accordingly, the disclosure is meant only to provide examples ofvarious systems and methods and is not intended to suggest that thescope of the disclosure, including the claims, is limited to theseexamples.

All directional references (e.g., proximal, distal, upper, lower,upward, downward, left, right, lateral, longitudinal, front, back, top,bottom, above, below, vertical, horizontal, radial, axial, clockwise,and counterclockwise) are only used for identification purposes to aidthe reader's understanding of the present disclosure, and do not createlimitations, particularly as to the position, orientation, or use ofthis disclosure. Connection references (e.g., attached, coupled,connected, and joined) are to be construed broadly and may includeintermediate members between a collection of elements and relativemovement between elements unless otherwise indicated. As such,connection references do not necessarily infer that two elements aredirectly connected and in fixed relation to each other. The drawings arefor purposes of illustration only and the dimensions, positions, orderand relative sizes reflected in the drawings attached hereto may vary.In each of the figures, like numerals represent like items throughoutthe figures.

Also, as used herein, including in the claims, “or” as used in a list ofitems (for example, a list of items prefaced by a phrase such as “atleast one of” or “one or more of”) indicates an inclusive list suchthat, for example, a list of at least one of A, B, or C means A or B orC or AB or AC or BC or ABC (i.e., A and B and C). Also, as used herein,the phrase “based on” shall not be construed as a reference to a closedset of conditions. For example, an exemplary step that is described as“based on condition A” may be based on both a condition A and acondition B without departing from the scope of the present disclosure.In other words, as used herein, the phrase “based on” shall be construedin the same manner as the phrase “based at least in part on.”

From the foregoing it will be appreciated that, although specificembodiments of the present disclosure have been described herein forpurposes of illustration, various modifications and combinations may bemade without deviating from the spirit and scope of the presentdisclosure. The description herein is provided to enable a personskilled in the art to make or use the disclosure. Various modificationsto the disclosure will be readily apparent to those skilled in the art,and the generic principles defined herein may be applied to othervariations without departing from the scope of the disclosure. Thus, thedisclosure is not limited to the examples and designs described herein,but is to be accorded the broadest scope consistent with the principlesand novel features disclosed herein.

What is claimed is:
 1. An access control system comprising: a processor;a log data parser configured to cause the processor to receive log dataobservations in a cloud system and extract user-permission data from thelog data observations, wherein the log data observations include one ormore user actions performed by one or more users in the cloud system; afeature extractor configured to cause the processor to extract one ormore features from the user-permission data; a classifier configured tocause the processor to generate predictions of permissions for the oneor more users based on the extracted one or more features, wherein eachprediction includes one or more permissions associated with each of theone or more users; and a clustering unit configured to cause theprocessor to use the predictions of permissions to generate one or moreclusters; and a policy generator configured to cause the processor togenerate an access control policy by associating each cluster to the oneor more users and assigning permissions to each cluster.
 2. The accesscontrol system of claim 1 further comprising a vectorizer configured toconvert the user-permission data to one or more vectors.
 3. The accesscontrol system of claim 2, wherein the vectorizer includes at least aterm frequency-inverse document frequency (TF-IDF) vectorizer.
 4. Theaccess control system of claim 1, wherein: the clustering unit isfurther configured to generate one or more outliers, each outlier isassociated with a user; and the policy generator is further configuredto assign permissions to each of the outliers by: determining privilegesused by the user associated with the outlier; and assigning theprivileges to the outlier.
 5. The access control system of claim 1 isfurther configured to: receive, from a user device associated with auser, a request to access a service in the cloud system; and execute theaccess control policy to determine whether to grant the request based ona permission of the user associated with the user device.
 6. The accesscontrol system of claim 1, wherein the policy generator is configured toassign the permissions to each cluster by: determining permissionsexercised by the one or more users associated with the cluster; andassigning a combined permission to the cluster, wherein the combinedpermission includes all of the permissions exercised by the one or moreusers associated with the cluster.
 7. The access control system of claim1, wherein the clustering unit is configured to use a density-basedspatial clustering of applications with noise (DBSCAN) algorithm.
 8. Amethod of controlling access in a cloud system, the method comprising:receiving log data observations recorded from the cloud system; parsinguser-permission data from the log data observations; extracting one ormore features from the user-permission data; generating, by aclassifier, predictions of permissions for the one or more users basedon the extracted one or more features, wherein each prediction includesone or more permissions associated with each of the one or more users;clustering the user-permission data, based on the predictions ofpermissions, to generate one or more clusters; generating an accesscontrol policy by associating each cluster to one or more users andassigning permissions to each cluster; receiving, from a user deviceassociated with a user, a request to access a service in the cloudsystem; and executing the access control policy to determine whether togrant the request based on a permission of the user associated with theuser device.
 9. The method of claim 8 further comprising: generating oneor more outliers, each outlier associated with a user; and processingthe one or more outliers by: determining privileges used by the userassociated with each of the one or more outliers; and assigningprivileges to one of the one or more outliers based on the privilegesused by the user associated with that outlier.
 10. The method of claim8, wherein assigning the permissions to each cluster comprises:determining permissions exercised by the one or more users associatedwith the cluster; and assigning a combined permission to the cluster,wherein the combined permission includes all of the permissionsexercised by the one or more users associated with the cluster.
 11. Anaccess control system comprising: a processor; a log data parserconfigured to cause the processor to receive log data observations in acloud system and extract user-permission data from the log dataobservations, wherein the log data observations include one or more useractions in the cloud system by one or more users; a feature extractorconfigured to cause the processor to extract one or more features fromthe user-permission data; a classifier configured to cause the processorto generate predictions of permissions for the one or more users basedon the extracted one or more features, wherein each prediction includesone or more permissions associated with each of the one or more users;and a policy generator configured to cause the processor to generate anaccess control policy based on at least one of the predictions ofpermissions for the one or more users.
 12. The access control system ofclaim 11 further comprising a training network configured to train theclassifier by: receiving a training log data, wherein the training logdata includes one or more training user actions in the cloud system bythe one or more users; extracting training user-permission data from thetraining log data; extracting one or more training features from thetraining user-permission data; and using the extracted training featuresto train the classifier.
 13. The access control system of claim 12,wherein the classifier includes a decision-tree (DT) classifier.
 14. Theaccess control system of claim 12, wherein the training network isconfigured to: determine first permissions associated with the one ormore users in a first operation period; determine first predictions ofpermissions associated with the one or more users in the first operationperiod; compare the first predictions and the first permissions from thefirst operation period; and determine second predictions of permissionsin a second operation period based on the comparison between the firstpredictions and the first permissions.
 15. The access control system ofclaim 14, wherein the training network is configured to compare thefirst predictions and the first permissions from the first operationperiod by: using the first permissions to test the first predictions todetermine a precision and a recall; and determining a F measure based onthe precision and the recall.
 16. A method of controlling access in acloud system, the method comprising: receiving log data observationsrecorded from the cloud system; parsing user-permission data from thelog data observations, wherein the log data observations include one ormore user actions in the cloud system by one or more users; extractingone or more features from the user-permission data; generating, by aclassifier, predictions of permissions for the one or more users basedon the extracted one or more features, wherein each prediction includesone or more permissions associated with each of the one or more users;generating an access control policy based on at least one of thepredictions of permissions for the one or more users; receiving, from auser device associated with a user, a request to access a service in thecloud system; and executing the access control policy to determinewhether to grant the request based on a permission of the userassociated with the user device.
 17. The method of claim 16 furthercomprising training the classifier by: receiving a training log data,wherein the training log data includes one or more training user actionsin the cloud system by the one or more users; extracting traininguser-permission data from the training log data; extracting one or moretraining features from the training user-permission data; and using theextracted training features to train the classifier.
 18. The method ofclaim 17, wherein the classifier includes a decision-tree (DT)classifier.
 19. The method of claim 17, wherein training the classifiercomprises: determining first permissions associated with the one or moreusers in a first operation period; determining first predictions ofpermissions associated with the one or more users in the first operationperiod; comparing the first predictions and the first permissions fromthe first operation period; and determining second predictions ofpermissions in a second operation period based on the comparison betweenthe first predictions and the first permissions.
 20. The method of claim19, wherein comparing the first predictions and the first permissionsfrom the first operation period comprises: using the first permissionsto test the first predictions to determine a precision and a recall; anddetermining a F measure based on the precision and the recall.